Fearing data leak, Bengaluru local body to update Covid testing portal with OTP system

BBMP Chief Commissioner Gaurav Gupta claimed that no data had been leaked from the portal.

In a bid to avoid further data leaks from its PHAST (Public Health Activities, Surveillance and Tracking) portal, the Bruhat Bengaluru Mahanagara Palike (BBMP), the local municipal body governing the Karnataka capital, announced on Friday that a one-time password (OTP) system will soon be incorporated into the online service. The portal was pulled down on Wednesday after officials were intimated of a possible breach of “sensitive health records.”

BBMP Chief Commissioner Gaurav Gupta claimed that no data had been leaked from the portal. “While one could enter the phone number provided at the time of Covid-19 testing to get details including test result among others, the portal will now seek an OTP before allowing access to the information. The updated version of the portal would be made available soon,” he said on Friday.

The data hosted on the PHAST website included records of name, age, gender, patient ID, ICMR Test ID, lab name, Covid test result (positive or negative), date of sample collection and receipt, sample type, hospital name (if the patient was hospitalised), and the status of symptoms.

Earlier this week, Free Software Movement of India (FSMI) — a coalition of organisations promoting the adoption of free software — had pointed out a possible security lapse, explaining how easy it would be for any data broker to harvest such details by writing an automated script to access the information in bulk.

“Everyone’s Covid-19 tests data is being published by BBMP’s contractor Xyramsoft. We notice that anyone’s Covid-19 data can be accessed by simply querying with their phone numbers,” a letter addressed to Rajendra Cholan, BBMP Special Commissioner (Health and IT) mentioned.

Kiran Chandra, General Secretary of FSMI, noted that this was a “clear violation” of the IT Rules (2011), indicating an “appalling lack of attention” to protecting an individual’s personal and sensitive data. “The lack of proper security practices for sensitive health record data, especially in the midst of the peak of the pandemic, can lead to misuse, exploitation and poses a catastrophic risk overall,” he said.

In the letter dated May 25, FSMI had also demanded an immediate shutdown of the PHAST website until access management was put in place and a security audit was completed. “We also demand that BBMP take action against the software company Xyramsoft for its carelessness in building software without any security,” the coalition had urged.

However, this is not the first time that the Karnataka government has come under the scanner for similar lapses. Last year, in July, the personal data of people affected by Covid-19 and in home quarantine was hosted in the public domain for hours on the ‘Parihara’ website, linked to the web application of the same name. Details of patients across 30 districts could also be downloaded and exported in Excel-sheet format.

Tech activists had then pointed out that several mini-startups had built location-search tools using the published citizen data, resulting in social exclusion of quarantined people.
